Forum Moderators: phranque

What's this in my logs.

union+all+select appends to URLs

     
9:00 am on Oct 12, 2013 (gmt 0)

5+ Year Member



I had a recurring hacker on my site that was modifying the .htaccess file to include pharma links for search engine bots. I've since solved that problem by ditching Joomla (although I stress to add it was probably a dodgy Joomla extension rather than Joomla itself).

However I'm still curious to find out how they did it and whether they are still trying. Looking at my raw logs the one thing that really stands out is multiple attempts to load my listings.php script with an awful lot of code added to the query string. It happens hundreds of times in the logs, starting with an innocent looking:

GET /listing.php?id=10749 HTTP/1.1


- which is a valid request, but then shortly after that turns into:

GET /listing.php?id=10749%27+and+%27x%27%3D%27y HTTP/1.1


and then several hits later it can be:

GET /listing.php?id=999999.9+%2F*%2130000union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C
0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C
0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C
0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536*%2F-- HTTP/1.1


What I'm trying to figure out is what are they trying to do? SQL injection attack? Or is this possibly related to the previous attack on .htaccess?

The knowledge of my peers would be appreciated,

Thanks,

Xandir

[edited by: phranque at 11:06 am (utc) on Oct 12, 2013]
[edit reason] fix sidescroll [/edit]

10:30 am on Oct 12, 2013 (gmt 0)



If you decode the first url you get:

10749' and 'x'='y

So it looks like a SQL injection but normally a hacker would use the OR function and not the AND...
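
Added example (not part of the thread or any poster's code): a Python sketch that URL-decodes the three request lines quoted in the first post and flags SQL-injection probe patterns, useful for checking raw logs for further attempts. The signature names and regexes are this example's own assumptions, not a complete rule set.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Heuristic signatures (this example's own choices, not a complete rule set).
SIGNATURES = {
    "quote_boolean_test": re.compile(r"'\s*(?:and|or)\s*'[^']*'\s*=\s*'", re.I),
    # No leading \b: in the logged request "union" follows "30000" directly.
    "union_select": re.compile(r"union\s+(?:all\s+)?select\b", re.I),
    "mysql_versioned_comment": re.compile(r"/\*!\d{5}"),
    "hex_literal": re.compile(r"\b0x(?:[0-9a-f]{2}){4,}\b", re.I),
    "sql_comment_terminator": re.compile(r"--\s*$"),
}

# Request lines from the first post. The third is rebuilt from the same hex
# literal repeated 20 times, as it appears in the quoted log entry.
HEX = "0x31303235343830303536"
SAMPLE_REQUESTS = [
    "GET /listing.php?id=10749 HTTP/1.1",
    "GET /listing.php?id=10749%27+and+%27x%27%3D%27y HTTP/1.1",
    "GET /listing.php?id=999999.9+%2F*%2130000union+all+select+"
    + "%2C".join([HEX] * 20) + "*%2F-- HTTP/1.1",
]


def analyse(request_line):
    """Decode the query string of one request line and list matching signatures."""
    parts = request_line.split()
    if len(parts) < 2:
        return None  # not a "METHOD target PROTOCOL" request line
    decoded = unquote_plus(urlsplit(parts[1]).query)
    literals = SIGNATURES["hex_literal"].findall(decoded)
    return {
        "decoded": decoded,
        "hits": sorted(n for n, rx in SIGNATURES.items() if rx.search(decoded)),
        "hex_count": len(literals),
        # Hex literals are ASCII in disguise; decode them so they are readable.
        "hex_decoded": sorted({bytes.fromhex(h[2:]).decode("ascii", "replace")
                               for h in literals}),
    }


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        result = analyse(line)
        status = "SUSPICIOUS" if result["hits"] else "ok"
        print(status, result["hits"], result["hex_count"], result["hex_decoded"])
        print("   ", result["decoded"][:80])
```
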
7:34 pm on Oct 12, 2013 (gmt 0)

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



You can and should add rules that simply block requests like these.
8:28 pm on Oct 12, 2013 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



I'm still curious to find out how they did it and whether they are still trying.

The format of the request doesn't matter. The absolutely VITAL question is: how did they get into your htaccess, and what did you do to ensure nobody can ever do it again? Do you trust your host?

phranque, I hope you appreciate that your browser window is at least twice as wide as mine :(